
Understanding PGP & GPG: How Encryption Keeps Our Emails Safe

A friendly introduction to email encryption using PGP/GPG, how it works technically, how you can use it in your everyday life, and why it's still relevant in the age of Gmail and Outlook.

5 min read

5/6/2025

Tags: email-security, encryption, gpg, open-source, pgp, privacy, security

🔐 Understanding PGP & GPG: How Encryption Keeps Our Emails Safe

Introduction

If you’ve ever heard terms like PGP, GPG, or email encryption tossed around, you might’ve thought, “That sounds complicated and probably not for me.” But in reality, these technologies are both powerful and surprisingly practical—even for non-hackers.

PGP (Pretty Good Privacy) and its open-source cousin GPG (GNU Privacy Guard) help ensure that your digital messages and files stay confidential and tamper-proof. Whether you’re a journalist protecting sources, a developer sharing credentials, or just someone who values privacy, PGP/GPG gives you serious security superpowers.


🧊 A Simple Explanation of How It Works

Imagine mailing a letter in a transparent envelope versus one in a locked box. PGP/GPG is like sending your emails in a locked box that only your recipient can open, and, if you also sign it, they can prove that you were the one who sent it.

It uses something called public-key cryptography, where:

  • You have a private key (keep it secret).
  • Others use your public key to send you encrypted stuff.
  • You use your private key to read it.

Want to sign a file or message to prove it’s really from you? You use your private key to digitally sign it, and anyone with your public key can verify the signature.


⚙️ How PGP/GPG Works Under the Hood

1. Key Pair Generation:

  • You generate a public/private key pair.
  • Your public key is shared widely. Your private key never leaves your machine.

2. Encrypting a Message:

  • Someone uses your public key to encrypt a message.
  • Only your private key can decrypt it.

3. Signing a Message:

  • You use your private key to generate a digital signature.
  • Others can verify it using your public key.

4. Hybrid Encryption:

  • PGP doesn’t encrypt the message body with a public key directly. It generates a fresh random session key for each message and encrypts the body with symmetric encryption (AES), because asymmetric operations are slow and can only handle small inputs.
  • Then it encrypts that session key with the recipient’s public key, once per recipient, which is how one message can be readable by several people. It’s fast and secure.

5. Web of Trust:

Rather than relying on a central authority (the certificate authorities that issue TLS certificates), PGP builds trust through key-signing between people, a bit like a social network of trusted identities.


🌍 Why Encryption Still Matters

Even in 2025, email is one of the most insecure forms of communication. Emails are:

  • Readable by every server that handles them: TLS only protects each hop in transit, and the message sits in the clear on the provider’s servers unless you encrypt it end to end
  • Stored indefinitely on servers
  • Easily spoofed and tampered with: SPF, DKIM and DMARC help mail servers filter forgeries, but they authenticate a sending domain, not the person who wrote the message

Using encryption:

  • Protects personal data from surveillance
  • Safeguards business communications
  • Verifies sender authenticity
  • Helps journalists, activists, and regular users stay safe in hostile environments

Even if you’re not hiding anything, privacy is still a right, not a confession of guilt.


📧 How PGP/GPG Works with Gmail, Outlook, or Thunderbird

You might be wondering: “how do I use this stuff with modern email clients?”

Gmail

  • Gmail doesn’t natively support PGP (Google Workspace offers S/MIME, which is a different, certificate-authority-based system).
  • Use browser extensions like:
    • Mailvelope (Chrome/Firefox): Adds PGP encryption to Gmail’s web UI
    • FlowCrypt: Easy-to-use encryption plugin for Gmail
  • Either way the encryption and decryption happen inside your browser, so Google only ever stores ciphertext; what you are trusting instead is the extension and wherever it keeps your private key.

Outlook

  • Outlook needs plugins such as:
    • Gpg4win: The Windows GPG suite; its GpgOL add-in integrates with Outlook, and Kleopatra is the key manager that comes with it
    • Outlook Privacy Plugin: Simple encryption UI (but less maintained)

Thunderbird (Best Option)

  • Thunderbird has OpenPGP support built in (since version 78; before that you needed the Enigmail add-on), which makes it the best desktop email client for GPG.
  • You can:
    • Generate/import keys
    • Encrypt, decrypt, sign, and verify emails
    • Manage contacts’ public keys easily

It’s the most seamless and secure experience today for PGP/GPG usage.


🧠 How it works for devs and curious people

🔑 Key Pair Generation

When you run gpg --gen-key (or gpg --full-generate-key to pick the algorithm and size yourself), GPG creates:

  • A public key: which you share with others
  • A private key: which you keep secret

These keys are mathematically linked. GnuPG supports RSA (usable for both signing and encryption), modern elliptic-curve keys (Ed25519 for signing, Curve25519/cv25519 ECDH for encryption) and the legacy DSA/ElGamal pair. A typical "key" is actually a primary key used for signing and certifying plus a separate encryption subkey.

Under the hood:

RSA key generation involves choosing two large secret prime numbers (p and q), then calculating:

  • n = p * q, the public modulus (its bit length is the "key size", e.g. 3072)
  • φ(n) = (p − 1) * (q − 1), which must stay secret
  • e, the public exponent (commonly 65537)
  • d, the private exponent, the modular inverse of e (satisfies: (e * d) % φ(n) = 1)

The public key is (n, e); the private key is (n, d), and the OpenPGP secret-key packet also stores p and q to speed up private-key operations. Anyone who learns p or q can recompute d, which is why the private key must never leave your control.

These keys are stored in your GPG keyring (GnuPG 2.1 and later):

~/.gnupg/pubring.kbx          # public keys and the certifications on them
~/.gnupg/private-keys-v1.d/   # private keys, one file per key, managed by gpg-agent
~/.gnupg/trustdb.gpg          # the ownertrust you assign to other people's keys

📦 Encrypting a Message (Hybrid Encryption)

Why hybrid? Because RSA is slow for large data. So instead:

  1. A random symmetric session key (e.g., AES-256) is generated.
  2. The actual message is encrypted using this AES key.
  3. That AES key is then asymmetrically encrypted using the recipient’s public key.
  4. Both encrypted payloads (message + session key) are bundled into the final PGP message.

💡 This makes decryption fast while keeping asymmetric guarantees.


🔏 Signing a Message

Signing proves authenticity and integrity:

  • The message is hashed (e.g., SHA-256) to create a digest.
  • That digest is padded and passed through your private-key operation to form the digital signature. This is often described as "encrypting the hash with your private key"; for RSA the arithmetic is the same exponentiation, but real implementations pad the hash first (OpenPGP uses PKCS#1 v1.5 padding for RSA signatures) and Ed25519 has its own signing equation, so treat the phrase as intuition rather than the actual algorithm.
  • The recipient:
    • Re-hashes the message
    • Applies your public key to the signature to recover the digest you signed
    • Compares both digests; a mismatch means the message or the signature was altered

In code, it’s roughly:

signature = sign(hash(message), senderPrivateKey);
verify(hash(message), signature, senderPublicKey); // true only if both digests match

📜 The Structure of a PGP Message

PGP messages are usually ASCII-armored (base64 plus a checksum line, wrapped in BEGIN/END markers so they survive email) and follow a structure like:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2
hQGMAx...
<encrypted symmetric key>
<encrypted message payload>
...
-----END PGP MESSAGE-----

(Current GnuPG omits the Version: line by default; it only tells an observer which software you use.) The armor is just an encoding. GPG internally works with the OpenPGP binary packet format (RFC 4880, revised by RFC 9580 in 2024), and an encrypted, signed message is a sequence of packets:

  • Public-Key Encrypted Session Key Packet (one per recipient; the leading "hQ" of the armor above is exactly this packet’s header)
  • Symmetrically Encrypted and Integrity Protected Data Packet (GnuPG writes this tag-18 packet, which carries a modification detection code; the older plain Symmetrically Encrypted Data Packet has no integrity check and should no longer be produced)
  • Inside the encrypted payload, once decrypted: an optional Compressed Data Packet, then One-Pass Signature, Literal Data Packet (your file/message) and Signature packets when the message is signed
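To make the packet structure concrete, here is a small header walker added for this post (it is not GnuPG code). It implements the old- and new-format header rules from RFC 4880 section 4.2, names the packet tags listed above, and rejects truncated input. The sample message is constructed by hand from those rules; the only real bytes are the four decoded from the "hQGMAx..." armor shown above.

```python
"""Walk the packet headers of an OpenPGP message (RFC 4880 section 4.2,
unchanged in RFC 9580).  Added example for this post, not GnuPG code."""
import struct

PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    4: "One-Pass Signature",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data (no integrity protection)",
    11: "Literal Data",
    18: "Sym. Encrypted and Integrity Protected Data",
}


def parse_header(buf, off=0):
    """Return (tag, body_length, header_length) for the packet at buf[off]."""
    ctb = buf[off]                      # first header octet
    if not ctb & 0x80:
        raise ValueError("bit 7 must be set in a packet header")
    if ctb & 0x40:                      # new-format header: tag in the low 6 bits
        tag = ctb & 0x3F
        first = buf[off + 1]
        if first < 192:                 # one-octet length
            return tag, first, 2
        if first < 224:                 # two-octet length
            return tag, ((first - 192) << 8) + buf[off + 2] + 192, 3
        if first == 255:                # five-octet length
            return tag, struct.unpack(">I", buf[off + 2:off + 6])[0], 6
        raise ValueError("partial body lengths not handled here")
    tag = (ctb >> 2) & 0x0F             # old-format header: tag in bits 5..2
    ltype = ctb & 0x03                  # bits 1..0 select a 1/2/4-octet length
    if ltype == 3:
        raise ValueError("indeterminate length not handled here")
    nbytes = (1, 2, 4)[ltype]
    return tag, int.from_bytes(buf[off + 1:off + 1 + nbytes], "big"), 1 + nbytes


def walk(buf):
    """List (tag name, body length) for every packet in buf, in order."""
    packets, off = [], 0
    while off < len(buf):
        tag, length, hlen = parse_header(buf, off)
        if off + hlen + length > len(buf):
            raise ValueError(f"truncated packet (tag {tag}) at offset {off}")
        packets.append((PACKET_TAGS.get(tag, f"unknown tag {tag}"), length))
        off += hlen + length
    return packets


def is_well_formed(buf):
    """True if every packet header is parseable and every body is complete."""
    try:
        walk(buf)
        return True
    except ValueError:
        return False


# The post's armor starts "hQGMAx", which is base64 for 85 01 8c 03.  That is
# an old-format tag-1 header with a two-octet length of 0x018c = 396 bytes,
# consistent with a version-3 session-key packet for a 3072-bit RSA key
# (1 version + 8 key ID + 1 algorithm + 2 MPI length + 384 MPI bytes).
ARMOR_PREFIX = bytes.fromhex("85018c03")

# Constructed sample (not a real message): short session-key packet, a
# tag-18 body using the two-octet length form, then literal data using
# the five-octet form.  0x84 = 0x80 | (1 << 2), 0xD2 = 0xC0 | 18, 0xCB = 0xC0 | 11.
SAMPLE_MESSAGE = (
    bytes([0x84, 10]) + bytes(10)
    + bytes([0xD2, 0xC0, 0x08]) + bytes(200)                  # (192-192)<<8 + 8 + 192 = 200
    + bytes([0xCB, 0xFF]) + struct.pack(">I", 5) + b"hello"
)
```

Running walk(SAMPLE_MESSAGE) lists the three packets with body lengths 10, 200 and 5; parse_header(ARMOR_PREFIX) recovers tag 1 and length 396 from the post's own armor, and is_well_formed reports it as truncated because those 396 bytes are not present.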

🔄 Decryption Flow (TL;DR)

  1. GPG finds the session-key packet addressed to one of your keys and uses that private key to unwrap the symmetric (AES) session key.
  2. The session key decrypts the payload and GPG checks the modification detection code; a failed check is reported as a manipulated message rather than silently accepted.
  3. If the payload is signed, GPG looks up the sender’s public key in your keyring and verifies the signature, reporting a good signature, a BAD signature, or that the signing key is missing.
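The key-pair recipe, the hybrid encryption, the hash-then-sign step and the decryption flow above, carried through end to end in one runnable model. This is an example added for this post, not GnuPG code, and it makes two deliberate simplifications so it runs on the standard library alone: textbook RSA with no padding (real OpenPGP pads with PKCS#1 v1.5 or OAEP), and an HMAC-SHA256 counter-mode keystream standing in for AES-256. The message and the 1024-bit key size are made up for speed; never use this for real data.

```python
"""Model of PGP's key generation, hybrid encryption and signing.
Added example for this post, not GnuPG code.  Illustration only."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so p*q is close to 2*bits long."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)) following the recipe in the text.  1024 bits is
    for demo speed; GnuPG defaults to 3072-bit RSA or Curve25519 keys."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)                 # phi(n) = (p-1)(q-1)
        if p != q and phi % e != 0:             # need gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)                         # modular inverse (Python 3.8+)
    assert (e * d) % phi == 1                   # the defining property of d
    return (p * q, e), (p * q, d)


def keystream_xor(key, nonce, data):
    """Stand-in for AES-256: XOR with an HMAC-SHA256 keystream in counter
    mode.  Encrypting and decrypting are the same operation."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def hybrid_encrypt(recipient_pub, plaintext):
    """Fresh 256-bit session key per message; the body goes through the
    symmetric cipher and only the session key is wrapped with RSA, using
    the RECIPIENT's public key (textbook RSA here, i.e. unpadded)."""
    n, e = recipient_pub
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"pkesk": pow(int.from_bytes(session_key, "big"), e, n),   # ~ PKESK packet
            "nonce": nonce,
            "body": keystream_xor(session_key, nonce, plaintext)}      # ~ encrypted data packet


def hybrid_decrypt(recipient_priv, msg):
    n, d = recipient_priv
    session_key = pow(msg["pkesk"], d, n).to_bytes(32, "big")
    return keystream_xor(session_key, msg["nonce"], msg["body"])


def sign(sender_priv, message):
    """Hash, then apply the sender's private-key operation to the digest."""
    n, d = sender_priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(sender_pub, message, signature):
    """Re-hash and compare with the digest recovered through the public key."""
    n, e = sender_pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def demo(message=b"meet at 09:00, bring the hardware token"):
    """Alice signs and encrypts to Bob; Bob decrypts and verifies.  A flipped
    ciphertext bit decrypts without any error (this cipher has no integrity
    check, like the old tag-9 packet) and is caught only by the signature."""
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    signature = sign(alice_priv, message)
    packet = hybrid_encrypt(bob_pub, message)
    plain = hybrid_decrypt(bob_priv, packet)
    tampered = dict(packet, body=bytes([packet["body"][0] ^ 0x01]) + packet["body"][1:])
    tampered_plain = hybrid_decrypt(bob_priv, tampered)
    return {"decrypts": plain == message,
            "signature_ok": verify(alice_pub, plain, signature),
            "cipher_accepts_tampering": tampered_plain != message,
            "signature_catches_tampering": not verify(alice_pub, tampered_plain, signature)}
```

The last two entries of demo() are the practical lesson: an unauthenticated cipher happily returns garbage, which is why OpenPGP moved to the integrity-protected data packet and why a signature (or an authenticated cipher) is part of any serious design, not an optional extra.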

🔁 Example Commands

Encrypt & Sign a Message

gpg --encrypt --sign --armor -r recipient@example.com message.txt

This writes message.txt.asc, encrypted to the recipient’s public key (which must already be in your keyring) and signed with your default secret key; add -u you@example.com to sign with a specific key.

Decrypt a Message

gpg --decrypt --output message.txt encrypted.asc

Without --output the plaintext goes to standard output. If the message was signed, gpg also prints the verification result ("Good signature from ..."); a "BAD signature" means the content was altered after it was signed, and an "unknown key" means you don’t have the sender’s public key yet.

Generate a Key Pair

gpg --full-generate-key

Choose a strong passphrase when prompted: it is the only thing protecting the private key file if your machine is compromised or your backups leak.

Export Your Public Key

gpg --armor --export you@example.com > public-key.asc

Only ever share this file; --export never includes private material (that would need --export-secret-keys).

🕸️ A Note on the Web of Trust

Unlike TLS, PGP doesn’t use Certificate Authorities. Instead, people sign (certify) each other’s keys to vouch that a key really belongs to the person named on it.

Before you sign anyone’s key, compare its fingerprint with them over a channel you already trust (in person, a phone call, a verified profile), never just the email the key arrived in:

gpg --fingerprint contact@example.com

Then sign it (use --lsign-key instead if you only want the certification to count on your own machine and not be exported):

gpg --sign-key contact@example.com

List and verify the certifications already on a key with:

gpg --check-sigs contact@example.com

Note that --check-sigs only shows who has signed a key. Whether that makes the key valid for you also depends on the ownertrust you assign to those signers (gpg --edit-key, then trust): by default GnuPG accepts a key that is signed by you, by one fully trusted key, or by three marginally trusted keys, within five steps of your own key. This creates a decentralized "web of trust" rather than relying on a central server. One caveat: public keyservers don’t verify uploads, so a key found there proves nothing by itself.
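The following is a simplified model, added for this post, of how the classic trust model decides which keys are valid, following the rules described in the GNU Privacy Handbook (one fully trusted signer or three marginal ones, signers must themselves be valid, at most five steps from your own key). It is not GnuPG’s trustdb code, and the people, signatures and ownertrust values are made up.

```python
"""Simplified model of GnuPG's classic trust-model validity rules.
Added example for this post, not GnuPG code."""

MARGINALS_NEEDED, COMPLETES_NEEDED, MAX_CERT_DEPTH = 3, 1, 5   # GnuPG defaults


def validate_keys(own_key, certifications, ownertrust):
    """certifications: {signed_key: {signing_key, ...}}  (who signed whom).
    ownertrust: {key: "full" | "marginal"}; keys absent here are "unknown"
    and their signatures carry no weight even when the key itself is valid.
    Returns {valid_key: path_length_from_own_key}."""
    depth = {own_key: 0}                       # your own key is valid by definition
    changed = True
    while changed:                             # propagate until nothing new validates
        changed = False
        for key, signers in certifications.items():
            if key in depth:
                continue
            full = marginal = 0
            best = None
            for signer in signers:
                if signer not in depth:        # only a VALID key can vouch
                    continue
                trust = "full" if signer == own_key else ownertrust.get(signer, "unknown")
                if trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue                   # valid but untrusted: no weight
                best = depth[signer] + 1 if best is None else min(best, depth[signer] + 1)
            if best is not None and best <= MAX_CERT_DEPTH and (
                full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED
            ):
                depth[key] = best
                changed = True
    return depth


# Constructed web of made-up people; "alice" is us.  Each entry reads
# "key: the keys that signed it".
CERTIFICATIONS = {
    "bob":   {"alice"},
    "carol": {"alice"},
    "dave":  {"alice"},
    "erin":  {"bob"},
    "frank": {"bob"},                       # one fully trusted signer suffices
    "grace": {"carol", "dave"},             # two marginals: not enough
    "heidi": {"carol", "dave", "erin"},     # three marginals: valid
    "ivan":  {"heidi"},                     # heidi is valid but has no ownertrust
}
OWNERTRUST = {"bob": "full", "carol": "marginal", "dave": "marginal", "erin": "marginal"}


def demo():
    """Which keys in the constructed web are valid for alice, and how far away."""
    return validate_keys("alice", CERTIFICATIONS, OWNERTRUST)
```

The grace and ivan cases are the ones worth remembering: validity (is this key really theirs?) and ownertrust (do I trust this person to check other people’s keys?) are separate decisions, and a key you consider valid still contributes nothing to the web until you explicitly assign it ownertrust.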


🛠️ Summary for Devs

Concept              Cryptographic Mechanism          Purpose
Key Pair             RSA / ECC (Ed25519, cv25519)     Identity & trust
Message Encryption   AES (symmetric, per-message key) Efficient payload encryption
Key Encryption       RSA / ECDH (asymmetric)          Secure session-key exchange
Signing              Hash (SHA-256) + RSA / Ed25519   Authenticity & integrity
Web of Trust         Manual key signing + ownertrust  Decentralized trust model

📚 More Resources & Learning

  • Introduction to GPG – The GNU Privacy Handbook
  • EFF’s Surveillance Self-Defense – Practical privacy tools and tips
  • Keybase.io – A directory of cryptographically verified identities
  • Proton Mail – Free secure email with automatic PGP support
  • Gpg4win – The official Windows GPG suite

🧠 Final Thoughts

PGP and GPG might sound like tools for techies, but they’re actually empowering tools for anyone who wants to take control of their digital privacy. You don’t have to encrypt every email you send—but learning how to use encryption tools like GPG gives you the option when it matters most.

Privacy isn’t just for tech nerds anymore, it’s for everyone.
